Details
Type: Sub-task
Status: Open
Priority: Normal
Resolution: Unresolved
Description
Overview:
In May through June of 2016, a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis using SciTools Understand v4. The results of that analysis include the issue below.
Issue:
Use of getAllByName() to retrieve IP addresses is not trustworthy: attackers can spoof DNS entries, so the addresses it returns may not belong to the intended replica host.
The file LimitedLocalNodeFirstLocalBalancingPolicy.java calls getAllByName() on line 66.
LimitedLocalNodeFirstLocalBalancingPolicy.java, lines 64-72:
64 try
65 {
66     InetAddress[] addresses = InetAddress.getAllByName(replica);
67     Collections.addAll(replicaAddresses, addresses);
68 }
69 catch (UnknownHostException e)
70 {
71     logger.warn("Invalid replica host name: {}, skipping it", replica);
72 }
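The following is an added example, not Cassandra's code and not a fix the project has adopted. It shows one defensive pattern for the call above: the name is still resolved with getAllByName(), but each returned address is checked against an operator-configured allowlist of cluster subnets before it is used, so a DNS answer pointing outside the expected ranges is logged and dropped rather than accepted as a replica. The Cidr helper, the ReplicaResolver class, the 10.20.0.0/16 allowlist and the literal sample inputs are all assumptions constructed for the example; logging goes to stderr instead of the policy's logger. Note that this limits the impact of a spoofed answer but does not authenticate DNS itself; that is a resolver or DNSSEC concern outside this snippet.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Hypothetical hardening of the getAllByName() call from the finding
 * (added example, not Cassandra's code): resolved addresses are accepted
 * only when they fall inside an allowlist of expected cluster subnets.
 */
public class ReplicaResolver {

    /** Minimal CIDR membership check (assumed helper, not a library API). */
    static final class Cidr {
        private final byte[] network;
        private final int prefixLength;

        Cidr(String cidr) throws UnknownHostException {
            String[] parts = cidr.split("/");
            this.network = InetAddress.getByName(parts[0]).getAddress();
            this.prefixLength = Integer.parseInt(parts[1]);
        }

        boolean contains(InetAddress addr) {
            byte[] bytes = addr.getAddress();
            if (bytes.length != network.length) return false; // IPv4 vs IPv6 mismatch
            int fullBytes = prefixLength / 8;
            for (int i = 0; i < fullBytes; i++) {
                if (bytes[i] != network[i]) return false;
            }
            int remaining = prefixLength % 8;
            if (remaining == 0) return true;
            int mask = (0xFF << (8 - remaining)) & 0xFF;
            return (bytes[fullBytes] & mask) == (network[fullBytes] & mask);
        }
    }

    private final List<Cidr> allowedSubnets;

    ReplicaResolver(List<Cidr> allowedSubnets) {
        this.allowedSubnets = allowedSubnets;
    }

    /**
     * Resolve a replica host name and return only the addresses inside the
     * allowlist. Unexpected addresses are logged and skipped; an unresolvable
     * name yields an empty list, mirroring the original "skip it" behaviour.
     */
    List<InetAddress> resolveReplica(String replica) {
        List<InetAddress> accepted = new ArrayList<>();
        InetAddress[] addresses;
        try {
            addresses = InetAddress.getAllByName(replica);
        } catch (UnknownHostException e) {
            System.err.println("Invalid replica host name: " + replica + ", skipping it");
            return accepted;
        }
        for (InetAddress addr : addresses) {
            boolean allowed = false;
            for (Cidr subnet : allowedSubnets) {
                if (subnet.contains(addr)) { allowed = true; break; }
            }
            if (allowed) {
                accepted.add(addr);
            } else {
                // An answer outside the expected cluster ranges is the symptom the
                // finding warns about; record it for the operator and do not use it.
                System.err.println("Replica " + replica + " resolved to unexpected address "
                        + addr.getHostAddress() + ", ignoring it");
            }
        }
        return accepted;
    }

    public static void main(String[] args) throws Exception {
        // Constructed allowlist: the cluster is assumed to live in 10.20.0.0/16.
        ReplicaResolver resolver = new ReplicaResolver(Arrays.asList(new Cidr("10.20.0.0/16")));
        // Constructed inputs: IP literals, so the demo runs without a DNS server.
        System.out.println(resolver.resolveReplica("10.20.3.7"));    // inside the allowlist, accepted
        System.out.println(resolver.resolveReplica("198.51.100.9")); // outside it, logged and dropped
    }
}
```

Running main prints the accepted list for the in-range literal and an empty list, plus a stderr line, for the out-of-range one. In a real deployment the allowlist would come from configuration rather than a hard-coded literal, and the rejection message is the event worth alerting on.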